strongSwan swanctl config file for native Android IKEv2 IPsec
Android 11 now seems to support IKEv2/IPsec, so I'm trying to build a roadwarrior swanctl config for it. So far the SA gets established, but is then deleted immediately. Any suggestions?
The Android VPN profile has:
- Type: IKEv2/IPsec PSK
- Server: moon.isuldor.com
- IPsec identifier: strongswan at isuldor.com
- IPsec PSK: hunter2
My VPN gateway has:
```
$ swanctl --version
strongSwan swanctl 5.9.0
$ cat /etc/swanctl/conf.d/android11.conf
connections {
    rw-isuldor {
        local_addrs = moon.isuldor.com
        pools = android11_pool4, android11_pool6
        fragmentation = yes
        send_cert = always
        rekey_time = 0s
        dpd_delay = 30s
        local {
            auth = pubkey
            certs = moon.pem
            id = moon.isuldor.com
        }
        remote {
            auth = psk
            id = strongswan at isuldor.com
        }
        children {
            moon {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-isuldor {
        id_isuldor = strongswan at isuldor.com
        secret = hunter2
    }
}
pools {
    android11_pool4 {
        addrs = 192.168.2.0/24
        dns = 1.1.1.1,1.0.0.1
    }
    android11_pool6 {
        addrs = 2607:9cf3:0:ae::6:1300/120
        dns = 2606:4700:4700::1111,2606:4700:4700::1001
    }
}
```
The relevant log from charon-systemd:
```
X.X.X.X is initiating an IKE_SA
IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
remote host is behind NAT
...
looking for peer configs matching Y.Y.Y.Y[moon.isuldor.com]...X.X.X.X[strongswan at isuldor.com]
selected peer config 'rw-isuldor'
authentication of 'strongswan at isuldor.com' with pre-shared key successful
...
peer requested virtual IP %any
assigning new lease to 'strongswan at isuldor.com'
assigning virtual IP 192.168.2.1 to peer 'strongswan at isuldor.com'
peer requested virtual IP %any6
assigning virtual IP <redacted> to peer 'strongswan at isuldor.com'
...
CHILD_SA moon{4} established with SPIs cba17603_i 0f8dcc81_o and TS 0.0.0.0/0 ::/0 === 192.168.2.1/32
CHILD_SA moon{4} state change: INSTALLING => INSTALLED
generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
splitting IKE message (2416 bytes) into 3 fragments
generating IKE_AUTH response 1 [ EF(1/3) ]
generating IKE_AUTH response 1 [ EF(2/3) ]
generating IKE_AUTH response 1 [ EF(3/3) ]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (84 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
checkin IKE_SA rw-isuldor[7]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
checkin of IKE_SA successful
received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500]
waiting for data on sockets
checkout IKEv2 SA by message with SPIs ce7fea937528e3ca_i 115e7e1303dd7bc4_r
IKE_SA rw-isuldor[7] successfully checked out
received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500] (80 bytes)
parsed INFORMATIONAL request 2 [ D ]
received DELETE for IKE_SA rw-isuldor[7]
deleting IKE_SA rw-isuldor[7] between Y.Y.Y.Y[moon.isuldor.com]...X.X.X.X[strongswan at isuldor.com]
IKE_SA rw-isuldor[7] state change: ESTABLISHED => DELETING
IKE_SA deleted
generating INFORMATIONAL response 2 [ ]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (80 bytes)
checkin and destroy IKE_SA rw-isuldor[7]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
IKE_SA rw-isuldor[7] state change: DELETING => DESTROYING
CHILD_SA moon{4} state change: INSTALLED => DESTROYING
deleting policy 0.0.0.0/0 === 192.168.2.1/32 out
deleting policy 192.168.2.1/32 === 0.0.0.0/0 in
deleting policy 192.168.2.1/32 === 0.0.0.0/0 fwd
deleting SAD entry with SPI cba17603
deleted SAD entry with SPI cba17603
deleting SAD entry with SPI 0f8dcc81
deleted SAD entry with SPI 0f8dcc81
lease 192.168.2.1 by 'strongswan at isuldor.com' went offline
checkin and destroy of IKE_SA successful
```
Update: once I retrieved the Android logs the problem became apparent immediately. Basically I used `adb shell` to get onto the device and then ran `logcat` with a suitable filter. There are probably terminal apps that can do the same. Root is not required.
```
130|sargo:/ $ whoami
shell
130|sargo:/ $ logcat *:S IkeV2VpnRunner:V
--------- beginning of system
--------- beginning of main
[..]
IkeV2VpnRunner: com.android.internal.net.ipsec.ike.exceptions.AuthenticationFailedException: Expected the remote/server to use PSK-based authentication but they used: 14
```
Conclusion: the swanctl config should have `auth = psk` under the `local` section, plus an additional line assigning the pre-shared key to the server, e.g. `id_moon = moon.isuldor.com` in `secrets.ike-isuldor`. This only worked for me with strongSwan swanctl 5.9.0; so far I have not been able to reproduce the success with the earlier version 5.7.2. I suspect the syntax may have changed somehow. But the underlying problem was incorrect server authentication.
As the client log confirms, it expects the server to authenticate with the PSK as well, not with a certificate. So instead of `local.auth=pubkey` you have to configure `local.auth=psk`. Note that while the IKEv2 protocol supports using a certificate on the server and a PSK on the client, and that does prevent other hosts that know the PSK from impersonating the server (every client has to know it and could do so), it has the same problem that PSK authentication with IKEv2 generally has: the client sends its AUTH payload before verifying the server's authentication. An active attacker can use this to determine weak PSKs via dictionary or brute-force attacks. A more secure approach is certificate authentication for the server and a username/password-based EAP method (e.g. EAP-MD5 or EAP-MSCHAPv2) for the clients, because then the client only sends its hashed password after it has verified the server's certificate.